Blog Detail


Laravel Honeypot - Prevent spam submitted through forms cover image

Laravel Honeypot - Prevent spam submitted through forms

When appending a form to a public site, there's a risk that spam bots will try to submit it with fake values. Fortunately, the majority of these bots are pretty dumb. You can stop most of them by adding an invisible field to your form that should never contain a value when submitted. Such a field is called a honeypot. Spatie introduced Laravel Honeypot that prevents spam submitted through forms. These spam bots will just fill all fields, including the honeypot.

Why choose Honeypot?

When a submission comes in with a filled honeypot field, Laravel Honeypot will reject that request. Moreover, this package also monitors how long it took to submit the form. This is done using a timestamp in another invisible field. If the form was submitted in an extremely short time, then the anti-spam will also be triggered.

After installing this package, all you need to do is to add the x-honeypot Blade component to your form.

<form method="POST">
    <x-honeypot />
    <input name="myField" type="text">


You can install this package via composer:

composer require spatie/laravel-honeypot

Optionally, you can publish the config file of the package.

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=config

How to use it?

After the installation, you have to add the x-honeypot Blade component to any form you wish to protect.

<form method="POST" action="{{ route('contactForm.submit') }}")>
    <x-honeypot />
    <input name="myField" type="text">

Alternatively, you can utilize the @honeypot Blade directive:

<form method="POST" action="{{ route('contactForm.submit') }}")>
    <input name="myField" type="text">

Using either the Blade component or directive will add two fields: my_name and my_time (you can change the names in the config file).

Next, you must use the Spatie\Honeypot\ProtectAgainstSpam middleware in the route that handles the form submission. This middleware will intercept any request that submits a non-empty value for the key named my_name. It will also intercept the request if it is submitted faster than the encrypted timestamp that the package generated in my_time.

use App\Http\Controllers\ContactFormSubmissionController;
use Spatie\Honeypot\ProtectAgainstSpam;

Route::post('contact', [ContactFormSubmissionController::class, 'create'])->middleware(ProtectAgainstSpam::class);

If you want to integrate the Spatie\Honeypot\ProtectAgainstSpam middleware with Laravel's built-in authentication routes, wrap the Auth::routes(); declaration with the appropriate middleware group (make sure to add the @honeypot directive to the authentication forms).

use Spatie\Honeypot\ProtectAgainstSpam;
Route::middleware(ProtectAgainstSpam::class)->group(function() {

If your app has many forms handled by many different controllers, you could opt to register it as global middleware.

// inside app\Http\Kernel.php
protected $middleware = [
   // ...

Customize the generated honeypot fields

If you want to customize the output generated, you have to publish the honeypot view with:

php artisan vendor:publish --provider="Spatie\Honeypot\HoneypotServiceProvider" --tag=views

The view will be placed in resources/views/vendor/honeypot/honeypotFormFields.blade.php. This is the default content:

    <div id="{{ $nameFieldName }}_wrap" style="display:none;">
        <input name="{{ $nameFieldName }}" type="text" value="" id="{{ $nameFieldName }}">
        <input name="{{ $validFromFieldName }}" type="text" value="{{ $encryptedValidFrom }}">

You can also utilize laravel Honeypot with interia. If you want to explore this package, you can visit its full documentation on Github.

Published at : 01-09-2021

Author : Rizwan Aslam
Rizwan Aslam

I am a highly results-driven professional with 12+ years of collective experience in the grounds of web application development especially in laravel, native android application development in java, and desktop application development in the dot net framework. Now managing a team of expert developers at Codebrisk.

web application development client
web application development client
web application development client
web application development client
web application development client

Launch project